(57) ABSTRACT

The present invention provides a method and apparatus for
determining the trustworthiness of executable packets, e.g.,
internet applets, being transmitted within a computer
network. The computer network includes both secured
computers and unsecured computers, which are associated with
secured nodes and unsecured nodes, respectively. Each
executable packet has a source address and a destination
address. In one embodiment, an intelligent firewall
determines within a first degree of certainty whether the source
address of an executable packet arriving at one of the
secured computers is associated with any one of the secured
nodes, and also determines within a second degree of
certainty whether the destination address of the executable
packet is associated with any one of the secured nodes. If the
firewall determines within the first degree of certainty that
the source address is associated with any one of the secured
nodes, and further determines within the second degree of
certainty or is uncertain whether the destination address is
associated with any one of the secured nodes, then the
firewall permits the executable packet to execute on the
secured computer. Alternatively, if the firewall determines
within the first degree of certainty or is uncertain whether the
source address is associated with any one of the secured
nodes, and further determines within the second degree of
certainty that the destination address is not associated with
any one of the secured nodes, then the firewall also permits
the executable packet to proceed to the secured computer.

20 Claims, 7 Drawing Sheets 
MAINTAINING PACKET SECURITY IN A
COMPUTER NETWORK

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

This invention relates to the field of security in a computer
network. More particularly, the present invention relates to
the field of packet security in a wide area network (WAN).
An example of a byte code verifier system that can be used
in connection with the present invention is disclosed in the
following copending patent application, which is
incorporated herein by reference: "BYTECODE PROGRAM
INTERPRETER APPARATUS AND METHOD WITH
PRE-VERIFICATION OF DATA TYPE RESTRICTIONS
AND OBJECT INITIALIZATION", Ser. No. 08/575,291,
by Frank Yellin and James Gosling, filed on the same day as
the present application.

2. Description of the Related Art 

FIG. 1A illustrates a typical computing environment
wherein clusters of secured computers 110a, 110b, . . . 110z,
120a, 120b, . . . 120z, . . . 160a, 160b, . . . 160z are coupled
to each other to form local area networks (LANs) 110,
120, . . . 160, respectively. Exemplary technologies
employed for interconnecting LANs include Ethernet and
Token-ring. In turn, LANs 110, 120, . . . 160 can be coupled
to each other via network nodes 115, 125, . . . , 165 to form
a secured wide area network (SWAN) 100a. Typical SWAN
links include dedicated leased lines and satellite links, which
are less vulnerable to attack than public networks in general.

In most commercial computing implementations, security
is maintained by identifying internal computers whose use
can be closely monitored, e.g., secured computers 110a,
110b, . . . 110z, 120a, 120b, . . . 120z, . . . 160a, 160b, . . .
160z, and also by enforcing a strict policy of not allowing
any new executable programs to be executed in any one of
the secured computers until these new programs have been
verified as virus-free. Viruses can cause a variety of
problems such as damage to hardware, software, and/or data,
release of information to unauthorized personnel, and/or
rendering a host computer unusable through resource
depletion.

Unfortunately, most commercial networks have a need to
be connected to external unsecured computers, such as the
computers of telecommuting employees and customers. For
example, SWAN 100a may be coupled to external unsecured
computers 190a, 190b, . . . 190z via an externally-accessible
node 185a and a public switch 180.

As this need to connect SWAN 100a to an increasing
number of unsecured computers 190a, 190b, . . . 190z via public
switch 180 grows, the problem of guarding the secured
computers of SWAN 100a against unauthorized data access
and/or data corruption becomes increasingly difficult. This
problem is compounded by the proliferation of computers
coupled to publicly and freely accessible WANs such as the
Internet. Hence, externally accessible node 185a, the weakest
point of the otherwise-secure SWAN 100a, is increasingly
vulnerable to hackers.

Several techniques have been developed to minimize the
vulnerability of node 185a to any uninvited intrusion. For
example, as discussed above, whenever possible, dedicated
trunk lines of switch 180 are used to connect node 185a to
unsecured computers 190a, 190b, . . . 190z. A less costly but
less secure alternative is the enforcement of a dialback
protocol over a public network, in which an unsecured
computer, e.g., computer 190a, dials up node 185a, and then
identifies the remote user's identity and location before
hanging up. Subsequently, node 185a dials back computer
190a at its pre-authorized location using a pre-authorized
telephone number to ensure that the remote user is indeed
located at the pre-authorized location.

Additional security at the packet level can also be
provided at node 185a, wherein node 185a functions as a dumb
"firewall" which allows only pure ASCII files, e.g., textual
emails, and prohibits all attachments of the emails from
leaving and/or entering SWAN 100a. Alternatively, node
185a may scan all incoming packets to identify and prevent
any untested executable code from entering SWAN 100a.
Although the above-described security measures work
fairly well for the exchange of data packets between SWAN
100a and unsecured computers 190a, 190b, . . . 190z, they
are too cumbersome and/or inadequate for exchanging
packets which include executable code. For example, in
receiving an executable Internet application based on Hot Java,
a programming language that supports executable applets,
such a broad prohibition of executable code will effectively
prevent any untested Hot Java applets from being received
and subsequently executed.

Hence, there is a need for an intelligent firewall that
provides real-time security testing of network packets,
which may include executable code such as applets, and
determines the risk level, i.e., trustworthiness, of each packet
before permitting a lower-risk subset of the network packets
to execute on any one of the secured computers of SWAN
100a in a manner transparent to a user.

SUMMARY OF THE INVENTION 

The present invention provides a method and apparatus
for determining the trustworthiness of executable packets,
e.g., internet applets, being transmitted within a computer
network. The computer network includes both secured
computers and unsecured computers, which are associated with
secured nodes and unsecured nodes, respectively. Each
executable packet has a source address and a destination
address.

In one embodiment, an intelligent firewall determines
within a first degree of certainty whether the source address
of an executable packet arriving at one of the secured
computers is associated with any one of the secured nodes,
and also determines within a second degree of certainty
whether the destination address of the executable packet is
associated with any one of the secured nodes.

If the firewall determines within the first degree of
certainty that the source address is associated with any one of
the secured nodes, and further determines within the second
degree of certainty or is uncertain whether the destination
address is associated with any one of the secured nodes, then
the firewall permits the executable packet to proceed to the
secured computer.

Alternatively, if the firewall determines within the first
degree of certainty or is uncertain whether the source
address is associated with any one of the secured nodes, and
further determines within the second degree of certainty that
the destination address is not associated with any one of the
secured nodes, then the firewall also permits the executable
packet to proceed to the secured computer.

In another embodiment, the intelligent firewall determines
within the first degree of certainty whether the source
address of an executable packet arriving at one of the
secured computers is associated with any one of the secured
nodes, or determines within the second degree of certainty
whether the destination address of the executable packet is
associated with any one of the secured nodes.

If the firewall determines within the first degree of
certainty that the source address is associated with any one of
the secured nodes, then the firewall permits the executable
packet to proceed to the secured computer. Alternatively, the
firewall determines within the second degree of certainty
whether the destination address of the executable packet is
associated with any one of the secured nodes; if it is not, then
the firewall also permits the executable packet to proceed to
the secured computer.

In the above-described embodiments, if none of the
above-described trustworthiness conditions are satisfied,
then the firewall rejects the executable packet, thereby
minimizing the risk of damage to the secured computer.

DESCRIPTION OF THE DRAWINGS

The objects, features and advantages of the system of the
present invention will be apparent from the following
description in which:

FIG. 1A is a block diagram of a typical computer network.

FIG. 1B is a block diagram of a general purpose computer
system.

FIG. 1C is a block diagram of a computer network of the
present invention.

FIGS. 2A, 2B and 2C are a truth table, a block diagram
and a flowchart, respectively, illustrating one embodiment of
the intelligent firewall of the present invention.

FIGS. 3A, 3B and 3C are a truth table, a block diagram
and a flowchart, respectively, illustrating another
embodiment of the intelligent firewall of the present invention.

DESCRIPTION OF THE PREFERRED
EMBODIMENT

In the following description numerous details provide a
thorough understanding of the invention. These details
include functional blocks and exemplary algorithms to assist
one in implementing an intelligent network firewall. In
addition, while the present invention is described with
reference to a specific computer network architecture and
firewall algorithms for protecting the network, the invention
is applicable to a wide range of network architectures and
environments. In other instances, well-known circuits and
structures are not described in detail so as not to obscure the
invention unnecessarily.

FIG. 1C illustrates a secured wide area network (SWAN)
100c of the present invention, which includes clusters of
secured computers 110a, 110b, . . . 110z, 120a, 120b, . . .
120z, . . . 160a, 160b, . . . 160z, coupled to each other to form
local area networks (LANs) 110, 120, . . . 160, respectively.
LANs 110, 120, . . . 160 can be coupled to each other via
network nodes 115, 125, . . . , 165. SWAN 100c is coupled
to external unsecured computers 190a, 190b, . . . 190z via an
externally-accessible network node 185c and a public switch.

In accordance with the present invention, node 185c
includes an intelligent firewall 185c1. Node 185c can be the
general purpose computer 1000 of FIG. 1B or a dedicated
network packet router (not shown) suitable for implementing
firewall 185c1. For the purpose of illustrating the following
examples, "outside firewall 185c1" is equivalent to outside
secured wide area network (SWAN) 100c.

FIGS. 2A, 2B and 2C are a truth table, a block diagram
and a flowchart, respectively, illustrating the operation of
one embodiment of intelligent firewall 185c1. Appendix A is
an exemplary pseudo-code implementation of this
embodiment.

Referring to the flowchart of FIG. 2C, when firewall
185c1 receives an incoming or an outgoing network packet,
an examination of the source address of the network packet
is performed. If firewall 185c1 determines within a degree of
certainty that the source address identifies the packet as
originating from one of the secured computer systems within
SWAN 100c, and upon examination of the destination address
of the packet (step 2020), firewall 185c1 is uncertain or
determines that the destination address of the packet is inside
SWAN 100c, then the packet is allowed to proceed (step
2030). Alternatively, if firewall 185c1 is either uncertain or
determines that the source address is outside SWAN 100c, and
upon examination of the destination address of the packet
(step 2025), firewall 185c1 determines within a degree of
certainty that the destination address of the packet is outside
SWAN 100c, then the packet is also allowed to proceed (step
2030).

Conversely, if firewall 185c1 is uncertain or determines
that the source address of the packet is outside SWAN 100c,
and upon examination of the destination address (step 2025),
is uncertain or determines that the destination address of the
packet is inside SWAN 100c, then the packet is rejected, i.e.,
prevented from proceeding to any one of the secured
computers of SWAN 100c (step 2040). Similarly, if firewall
185c1 determines within a degree of certainty that the source
address identifies the packet as originating from one of the
secured computer systems inside SWAN 100c, and upon
examination of the destination address of the packet (step
2020), determines that the destination address of the packet
is outside SWAN 100c, then the packet is also rejected (step
2040).

In this embodiment, a source/destination network address
is considered uncertain if there is no match between the
network address and a list of pre-approved secured network
addresses inside SWAN 100c. Other definitions of
uncertainty are possible. For example, network addresses may
include a prefix field and a machine field, with the prefix
field identifying clusters of computer systems coupled to the
respective network nodes, and the machine field identifying a
computer within each cluster. Hence, even though firewall
185c1 identifies the prefix field of the packet as one
associated with a secured network node inside SWAN 100c,
if the machine field of the same packet does not match one
of the pre-approved identifiers, the result is a partial match
and the network address of the packet is considered an
uncertain address by firewall 185c1.

FIGS. 3A, 3B and 3C are a truth table, a block diagram
and a flowchart, respectively, illustrating the operation of
another embodiment of intelligent firewall 185c1. Referring
to the flowchart of FIG. 3C, when firewall 185c1 receives an
incoming or an outgoing network packet, an examination of
the source address of the network packet is performed (step
3010).

If firewall 185c1 determines within a degree of certainty
that the source address identifies the packet as originating
from one of the secured computer systems inside SWAN
100c, then the packet is allowed to proceed (step 3030).
Alternatively, if firewall 185c1 is either uncertain or
determines that the source address of the packet is outside SWAN
100c, and upon examination of the destination address of the
packet (step 3020), firewall 185c1 determines within a
degree of certainty that the destination address of the packet
is outside SWAN 100c, then the packet is allowed to proceed
(step 3030).
Conversely, if firewall 185c1 is uncertain or determines
that the source address of the packet is outside SWAN 100c,
and upon examination of the destination address (step 3020),
is uncertain or determines that the destination address of the
packet is inside SWAN 100c, then the packet is rejected
(step 3040).
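The two decision policies described above (FIG. 2C and FIG. 3C) together with the prefix-field/machine-field definition of an uncertain address, as an added Python example that is not the patent's Appendix A or any code from the applicants. It assumes a constructed "prefix.machine" address format, a pre-approved list kept as a dict of secured prefix to approved machine identifiers, and that a prefix which is not pre-approved at all is treated as certainly outside the SWAN.

```python
"""Added example (not the patent's Appendix A): the three-valued address
check and the FIG. 2C / FIG. 3C permit-or-reject policies.

Assumptions (constructed, not from the patent): addresses are strings of
the form "prefix.machine"; the pre-approved list is a dict mapping each
secured prefix to its set of approved machine identifiers; a prefix that
is not pre-approved at all counts as certainly outside the SWAN.
"""
from dataclasses import dataclass
from enum import Enum


class Where(Enum):
    INSIDE = "inside"        # full match against the pre-approved list
    UNCERTAIN = "uncertain"  # partial match: prefix known, machine not
    OUTSIDE = "outside"      # prefix not pre-approved at all


@dataclass(frozen=True)
class Packet:
    source: str        # constructed "prefix.machine" address
    destination: str


def classify(address: str, approved: dict) -> Where:
    """Classify one address as inside, uncertain or outside the SWAN.

    This is the patent's prefix-field / machine-field definition: a
    matching prefix with an unapproved machine field is a partial match
    and therefore uncertain.
    """
    prefix, _, machine = address.partition(".")
    if prefix not in approved:
        return Where.OUTSIDE
    if machine in approved[prefix]:
        return Where.INSIDE
    return Where.UNCERTAIN


def decide_fig2c(pkt: Packet, approved: dict) -> bool:
    """First embodiment (FIG. 2C). Returns True to allow, False to reject."""
    src = classify(pkt.source, approved)
    dst = classify(pkt.destination, approved)
    if src is Where.INSIDE:
        # step 2020: a secured source may reach an inside or uncertain
        # destination; an inside->outside packet is rejected (step 2040)
        return dst is not Where.OUTSIDE
    # step 2025: an outside or uncertain source is allowed only when the
    # destination is certainly outside, so it never reaches a secured host
    return dst is Where.OUTSIDE


def decide_fig3c(pkt: Packet, approved: dict) -> bool:
    """Second embodiment (FIG. 3C): a certainly-secured source suffices
    (step 3030); otherwise the destination must be certainly outside."""
    if classify(pkt.source, approved) is Where.INSIDE:
        return True
    return classify(pkt.destination, approved) is Where.OUTSIDE


# Constructed pre-approved list: secured prefixes and their machine ids.
APPROVED = {"110": {"a", "b"}, "120": {"a"}}

# One constructed address per classification outcome, used to build tables.
SAMPLE = {Where.INSIDE: "110.a", Where.UNCERTAIN: "110.z", Where.OUTSIDE: "190.a"}


def decision_table(decide) -> dict:
    """Rebuild a FIG. 2A / 3A style truth table by running one policy over
    every (source class, destination class) pair."""
    return {(s, d): decide(Packet(SAMPLE[s], SAMPLE[d]), APPROVED)
            for s in Where for d in Where}


if __name__ == "__main__":
    for name, policy in (("FIG. 2C", decide_fig2c), ("FIG. 3C", decide_fig3c)):
        print(name)
        for (s, d), ok in decision_table(policy).items():
            print(f"  src={s.value:9} dst={d.value:9} -> {'allow' if ok else 'reject'}")
```

Running the module prints both nine-row tables; the only row on which the two embodiments disagree is a certainly-secured source sending to a certainly-outside destination, which FIG. 2C rejects and FIG. 3C allows.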

Additional security may be provided by intelligent
firewall 185c1. For example, a byte code verifier may parse the
executable code portion of the packet to eliminate invalid
and/or non-conforming instructions in an attempt to reduce
the probability of viruses. An example of a byte code verifier
system that can be used in connection with the present
invention is disclosed in the above-mentioned copending
patent application, entitled: "BYTECODE PROGRAM
INTERPRETER APPARATUS AND METHOD WITH
PRE-VERIFICATION OF DATA TYPE RESTRICTIONS
AND OBJECT INITIALIZATION". Other modifications
and additions are also possible without departing from the
spirit of the invention. Accordingly, the scope of the
invention should be limited by the following claims.

What is claimed is: 

1. A method for determining the trustworthiness of
executable packets in a computer network having a plurality
of secured computers and a plurality of unsecured
computers, each executable packet having a source address
and a destination address, said method comprising the steps
of:

a) determining within a first degree of certainty whether
a source address of one said executable packet is
associated with any one of said plurality of secured
computers, said source address is not associated with
any one of said plurality of secured computers, or
association of said source address with any one of said
plurality of secured computers is uncertain; and

b) determining within a second degree of certainty
whether a destination address of said one executable
packet is associated with any one of said plurality of
secured computers, said destination address is not
associated with any one of said plurality of secured
computers, or association of said destination address
with any one of said plurality of secured computers is
uncertain.

2. The method of claim 1 wherein if the determining step
a) determines within said first degree of certainty that said
source address is associated with any one of said plurality of
secured computers and if the determining step b) determines
within said second degree of certainty or is uncertain
whether said destination address is associated with any one
of said plurality of secured computers, then the method
further comprises the step of permitting said executable
packet to proceed.

3. The method of claim 1 wherein if the determining step
a) determines within said first degree of certainty or is
uncertain whether said source address is associated with
any one of said plurality of secured computers and if the
determining step b) determines within said second degree of
certainty that said destination address is not associated with
any one of said plurality of secured computers, then the
method further comprises the step of permitting said
executable packet to proceed.

4. The method of claim 1 wherein if the determining step
a) determines within said first degree of certainty or is
uncertain whether said source address is not associated with
any one of said plurality of secured computers and if the
determining step b) determines within said second degree of
certainty or is uncertain whether said destination address is
associated with any one of said plurality of secured
computers, then the method further comprises the step of
prohibiting said executable packet from proceeding.

5. The method of claim 1 wherein said executable packet 
includes an applet. 

6. The method of claim 1 wherein said determining steps 
a) and b) are executed by an intelligent firewall associated 
with said plurality of secured computers. 

7. A method for determining the trustworthiness of
executable packets in a computer network having a plurality
of secured computers and a plurality of unsecured
computers, each executable packet having a source address
and a destination address, said method comprising the step
of:

determining within a degree of certainty whether a source
address of one said executable packet is associated with
any one of said plurality of secured computers, said
source address is not associated with any one of said
plurality of secured computers, or association of said
source address with any one of said plurality of secured
computers is uncertain.

8. The method of claim 7 wherein if the determining step
determines within said degree of certainty that said source
address is associated with any one of said plurality of secured
computers, then the method further comprises the step of
permitting said executable packet to proceed.

9. The method of claim 7 wherein said executable packet
includes an applet.

10. The method of claim 7 wherein said determining step
is executed by an intelligent firewall associated with said
plurality of secured computers.

11. A method for determining the trustworthiness of
executable packets in a computer network having a plurality
of secured computers and a plurality of unsecured
computers, each executable packet having a source address
and a destination address, said method comprising the step
of:

determining within a degree of certainty whether a
destination address of one said executable packet is
associated with any one of said plurality of secured
computers, said destination address is not associated
with any one of said plurality of secured computers, or
association of said destination address with any one of
said plurality of secured computers is uncertain.

12. The method of claim 11 wherein if the determining
step determines within said degree of certainty that said
destination address is not associated with any one of said
plurality of secured computers, then the method further
comprises the step of permitting said executable packet to
proceed.

13. The method of claim 11 wherein said executable
packet includes an applet.

14. The method of claim 11 wherein said determining step
is executed by an intelligent firewall associated with said
plurality of secured computers.

15. An intelligent firewall useful in association with a
computer network having a plurality of secured computers
and a plurality of unsecured computers, the firewall
comprising:

a source address verifier configured to determine within a
first degree of certainty whether a source address of an
executable packet is associated with any one of said
plurality of secured computers, said source address is
not associated with any one of said plurality of secured
computers, or association of said source address with
any one of said plurality of secured computers is
uncertain.

16. The intelligent firewall of claim 15 further
comprising:

a destination address verifier configured to determine
within a second degree of certainty whether a
destination address of said executable packet is associated
with any one of said plurality of secured computers.

17. An intelligent firewall useful in association with a
computer network having a plurality of secured computers
and a plurality of unsecured computers, the firewall
comprising:

a destination address verifier configured to determine
within a degree of certainty whether a destination
address of an executable packet is associated with
any one of said plurality of secured computers, said
destination address is not associated with any one of
said plurality of secured computers, or association of
said destination address with any one of said plurality of
secured computers is uncertain.

18. A computer program product including a computer-
usable medium having computer-readable code embodied
therein configured to verify addresses of a plurality of
executable packets for a computer network, the computer
network including a plurality of secured computers and a
plurality of unsecured computers, the computer-readable
code comprising:

a computer-readable source address verifier configured to
determine within a first degree of certainty whether a
source address of one said executable packet is
associated with any one of said plurality of secured
computers, said source address is not associated with
any one of said plurality of secured computers, or
association of said source address with any one of said
plurality of secured computers is uncertain.

19. The computer program product of claim 18 wherein
said computer-readable code further comprises:

a computer-readable destination address verifier
configured to determine within a second degree of certainty
whether a destination address of said one executable
packet is associated with any one of said plurality of
secured computers.

20. A computer program product including a computer-
usable medium having computer-readable code embodied
therein configured to verify addresses of a plurality of
executable packets for a computer network, the computer
network including a plurality of secured computers and a
plurality of unsecured computers, the computer-readable
code comprising:

a computer-readable destination address verifier
configured to determine within a degree of certainty whether
a destination address of one said executable packet is
associated with any one of said plurality of secured
computers, said destination address is not associated
with any one of said plurality of secured computers, or
association of said destination address with any one of
said plurality of secured computers is uncertain.